Apple Update: Drop Everything and Patch iOS

Patch now. That's the message security experts have for all iOS users following Apple's release of a security update on Thursday.

"The Apple update is really rather important - there's not been much made of it, but the zero days it fixed were being exploited for real," Alan Woodward, a visiting professor at the University of Surrey, tells Information Security Media Group.

The update, iOS 12.1.4, works on iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, Apple says.

iOS user? Update to 12.1.4 now. It has some important zero days fixed as well as that Group FaceTime flaw. The zero days were found in the wild so it's not just theoretical.

Zero-Day Attacks Exploited Flaws

The iOS update patches Foundation, a framework that Apple notes "provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, sorting and filtering, and networking." By exploiting a Foundation memory corruption flaw, designated CVE-2019-7286, an application can gain elevated privileges on a device.

The update also patches IOKit, Apple's library for developing kernel-resident device drivers. A memory corruption flaw, designated CVE-2019-7287, can be exploited to "execute arbitrary code with kernel privileges," according to the security updates. Apple says it has added better input validation to block exploitation.

Credit for reporting both of those flaws goes to "an anonymous researcher" as well as Clement Lecigne of Google Threat Analysis Group and Google Project Zero's Ian Beer and Samuel Groß.

Ben Hawkes, the team leader at Google's Project Zero security, says both zero-day flaws were being exploited in the wild.

CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.

"Today's software update fixes the security bug in Group FaceTime," Apple says in a statement. "We again apologize to our customers and we thank them for their patience."

Apple says it has also addressed a newly discovered FaceTime flaw via a FaceTime server fix.

"In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime," Apple says. "To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."

Saga of the FaceTime Flaw

After the FaceTime flaw was discovered, Apple took Group FaceTime offline, pending a fix.

After Apple began pushing the patch on Thursday, Group FaceTime was back online.

The FaceTime flaw, CVE-2019-6223, was discovered by 14-year-old Grant Thompson, of Tucson, Arizona, who found the bug around Jan. 19 while organizing a Fortnight video game session. He and his mother attempted to contact Apple - by call, tweet and fax - to report the flaw.

Apple's bug bounty program can reward researchers with up to hundreds of thousands of dollars in compensation.

But Apple only appears to have paid attention after the flaw was documented by 9to5Mac.

"We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible," the company said. "We take the security of our products extremely seriously, and we are committed to continuing to earn the trust Apple customers place in us."

In its Thursday security update, Apple gave a shout-out to Thompson and his high school - as well as another researcher - for reporting the flaw:

Apple told news outlets, without offering financial specifics, that it compensated Thompson with a bug bounty for finding the flaw and gave him a gift to help cover his education expenses.

Daven Morris, also given credit in Apple's security update, reported the flaw separately from Thompson. Morris, a 27-year-old software developer, told The Wall Street Journal that he'd reported the flaw to Apple on Jan. 27, several days after the Thompsons and one day before the details of the flaw became publicly known, saying he'd discovered it about a week earlier when planning a trip with friends.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.